Cert-manager: Add support for Amazon Certificate Manager

Created on 22 Feb 2018 · 28 comments · Source: jetstack/cert-manager

Is this a BUG REPORT or FEATURE REQUEST?:

Uncomment only one, leave it on its own line:

/kind bug

/kind feature

Amazon Certificate Manager is another service that handles SSL certificates. Would be nice to add support for it for those who use AWS.

Labels: area/api, kind/design, kind/feature, priority/awaiting-more-evidence

Most helpful comment

Looking a little bit wider, many clouds offer a Certificate Manager that tends to work tightly with their L7 load balancers:

Perhaps it's a good time to invent an interface for these cloud providers to implement their providers out of certmanager's tree? Similar to k8s CNIs and CSIs, just for Certificate issuing.


Personal note, I haven't looked too far into it yet, but the new AWS ALB Ingress controller doesn't seem able to import certificates from the K8S cluster. My team has currently dropped into issuing certificates via terraform + ACM and then referencing the ARN in the Ingress annotation which is not fun. Perhaps I need to try again.

All 28 comments

Yes, but you can't download ACM certificates, because ACM won't give you the private key (right?). So this is not useful for Ingresses or in-cluster services. ACM is a different model from the CA, ACME / Let's Encrypt, and Vault models, since it doesn't actually let you have the certificate.

There are a couple of useful scenarios for ACM for k8s Services, but nothing useful for Ingresses or in-cluster services:

1) Auto-import to ACM. After cert-manager issues a certificate with CA/ACME/Vault, it could auto-import it into ACM to e.g. be available for use with AWS load balancers or Cloudfront, or it could then update the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation on one or more Services to use that certificate.

2) Issue ACM certificates for AWS Load Balancer Services. cert-manager could have an Issuer variant that does not create a TLS Secret, but uses the new DNS validation option for ACM to request and validate a certificate (via Route53), and then update the service.beta.kubernetes.io/aws-load-balancer-ssl-cert annotation on one or more Services to use that certificate. ACM handles auto-renewal if you leave the DNS record in place, so there is nothing for cert-manager to do after that, other than delete the certificate if the Certificate resource is deleted.

Both are well outside the scope of cert-manager functions and are AWS-specific, but I imagine pull requests for these features would still be welcome.

I had scenario 2 in mind. I don't need this functionality right now, I just heard about this service and figured I'd file an issue to see if there's interest for someone to implement such a thing.

Thanks for the detailed breakdown of how ACM works @whereisaaron

When considering (1), this falls under 'alternate delivery mechanisms' for cert-manager certificates. It's something I've considered before (when considering how cert delivery-to-the-pod can work). Depending on how ACM works (whether it always manages private keys for the user) it may also be related to #303.

Right now, if a user wants to use cert-manager to issue certificates for ACM in this way, I'd advise they write a separate controller that watches Secret resources and syncs appropriate ones to ACM (perhaps by annotating Certificate resources). This controller would then also upload those certificates to ACM if they change (e.g. after renewal by cert-manager). This solves the 'alternate delivery mechanism' issue by pushing it out of cert-manager core (i.e. it doesn't, we just decide to not support it).

For (2), this again kind of falls under alternate delivery (as there is no delivery). Updating an annotation on a service does seem slightly arbitrary though, and I'm not sure if it should be cert-manager's responsibility.

If anyone wants to try mocking up a proposal for this I'd be open to considering it, but it would need to touch on or at least consider how other delivery mechanisms may be implemented and expressed in future.

The newly announced ACM Private may have just made this relevant to non-ELB usage cases.

Should we create a separate issue for that, or is this one good enough? We'd actually be far more interested in the ACM Private->Kubernetes Secret usage case than for ELBs.

ACM (not private)

I'm not convinced that ELB "LoadBalancer" type services + ACM integration makes sense in this codebase.

That seems much more like a kubernetes cloud-provider feature, or a separate extension to it. It just doesn't really match up with the existing cert-manager concepts well IMO.

If it did end up in cert-manager, I think it would end up being a new resource type, a "CertificateStub", and that type would then be able to be referenced from certain other resources... but it really doesn't match the rest of what cert-manager does and has so many caveats that I don't think it's worth considering any time soon, if ever.

ACM Private

If no one else wants to, I might pick up the work to make an ACM Private issuer since I do think ACM private is a good match for cert-manager based on a quick skim of that post.

That looks quite handy and like it matches existing cert-manager concepts quite well.

I'm fine with either a new issue or re-purposing this one to track it.

๐Ÿ‘ from a quick read of that ACM Private blog post, it seems like a perfect fit for a new Issuer type. I'd be happy to accept a PR that adds this functionality ๐Ÿ˜„

That said, we need to make sure the integration is properly tested. How do developers usually test things against AWS APIs to ensure they work?

I notice there's an associated cost with running a private ACM, so I don't think we can feasibly create real private CAs for use in tests unless we can 'work around' this cost 😄

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle stale

/remove-lifecycle stale

Was there any movement towards adding ACM Private CA support?

I've not seen any PRs opened here for it!



/remove-lifecycle stale

I'm going to take a crack at adding this feature. I have a use case for ACM and having cert-manager handle the creation and rotation of certs would be awesome.

Created a PR for ACM Private CA here https://github.com/jetstack/cert-manager/pull/1391

Once that is merged I'll look into adding the non-private CA. I haven't used that one as much however so if someone else knows it better feel free to help out :)

:+1: for auto-import to ACM! This would work right with ALB IngressController!

I really love to have this PR merged as soon as possible! Excellent!

I misunderstood @rmb938's PR #1391. It is not to push cert-manager Let's Encrypt certificates to AWS Certificate Manager; that would be an utterly fantastic feature for cert-manager for the aws-alb-ingress-controller and for CloudFront users. The PR is actually to use AWS Private CA to issue certs instead of cert-manager's own private CA support.

Both are good ideas for cert-manager, but only the first one excites me personally.

Since this is being discussed in the PR comments, there is interest for ACM Private! I am one of the people looking forward to it.

ACM Private is also a first step and would lead the way for ACM so I am very much in favor of it!



Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Send feedback to jetstack.
/lifecycle rotten
/remove-lifecycle stale

Is there any progress on this issue? PR is submitted in April, now it is September already. The feature is more than welcome for many people.

/remove-lifecycle rotten

For the time being, I don't think we're going to proceed with this in the main codebase, so I'm going to close this issue.

If someone _does_ want to implement this still, I'd suggest implementing it as an out-of-tree Issuer, which is now supported by default from v0.11 onwards 😄

@munnerz are there any docs on out-of-tree issuers? I have a custom one I wrote targeting 0.6 and was going to submit a PR once I got it merged with master, but out of tree makes more sense because I suspect the company's CA product is not used by too many people.

Any progress on this?

I am just reviving this a bit. The awspca-issuer project looks dead (I have started an issue at https://github.com/codingvirtues/awspca-issuer/issues/5 to discuss). I would love to get some eyes on it though and see if we can revive it somewhere else so that it can be improved. Right now it is not quite production ready.
